Pre Login vs Always On

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Pre Login vs Always On

L0 Member

Hi, we are trying to decide between pre login VPN and always connected VPN...what do you guys use and why? FYI we use Okta for SAML/SSO and Azure AD for Identity.

From my understanding - pre login VPN doesn't support MFA or the ability to select WiFi before logging into Windows.  Is this correct? I so, how do you guys handle it? I've read about user certificates being an option but don't fully understand it.

For always on VPN we have been unable to get okta to work with Global Protect SSO, as it asks us to input a user/pass everytime we connect to VPN (Okta pops up), has anyone been able to get this to work? Are you users truly always connected without ever needing to log into vpn? Do you use MFA here? Thanks.


Cyber Elite
Cyber Elite

Cert example

Laptop get's cert somehow (either enrolled from Group Policy or through SCEP or manually installed).

For Pre-Login globalprotect uses cert.

Firewall permits Pre-Login users to limited resources (user can change expired password in domain etc).

For Post-Login 2FA.


Cookie example

Post-Login to portal generates cookie but does not accept cookie (this forces 2FA on portal).

Post-Login to gateway accepts cookie for 1 minute (in this case user don't get 2FA 2 times during login).

Pre-Login accepts cookie x number of days (but does not generate cookie).


Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks, I think we are going to go with Always ON VPN and have it configured with Okta for SAML and AzureAD for Identity (we have Okta configured in Azure Enterprise Apps), so we get an Okta prompt for password for VPN...but from what I'm reading we can set it so that users should never have to be prompted for a password (or set it to once every 7 days or 30 days or something), but we are unable to get that working, any suggestions?

I do want to point out that we are using Prisma Access, which I believe is GP's newer version of VPN...not sure if that makes a difference

Cyber Elite
Cyber Elite

I understand that you want users to get 2FA only every 7 days?

Configure portal and gateway both to generate cookie and also accept cookie for 7 days.

In this case during 7 day period GlobalProtect automatically logs users in without 2FA prompt.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

1) I don't want users to get prompted for a password at all (I think that's the point of Always ON VPN)? But since we use Okta/AzureAD we are having issues with that where users are being prompted for a VPN password (Okta) every day.
2) Yes, MFA every 7 days would be nice.

Cyber Elite
Cyber Elite

You can't have SAML 2FA and users not being asked for passwords.

If you login to GlobalProtect and auth is SAML then GlobalProtect will open default browser where users can use password manager to store passwords.

For GlobalProtect to use browser instead of it's default interface go to Portal > App tab and change "Use Default Browser for SAML Authentication" setting to "Yes"

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

So you're saying we we didn't have Okta in place, and just integrated AzureAD with Prisma directly, we would still have the same issue of users needing to enter a password or click on their username (even though its the same as Windows) because we have SAML MFA turned on? Is there a way to make it to only require MFA and no passwords once every 7 days?

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!